Google has fixed a security hole in the Android Market that allowed apps to be installed on a user's device without the user's consent. The hole even allowed an app to be installed without physical access to the Android smartphone or tablet. The flaw was a cross-site scripting (XSS) vulnerability in the Android Market.

The persistent XSS vulnerability was in the description fields for apps on the Android Market web store. The field allowed nefarious types to inject JavaScript code that was executed when the page was opened in a browser. The injected code could then remotely trigger the installation of a malicious app.
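How a stored description field becomes script in the visitor's browser, and how output encoding closes it, as an added example that is not Google's code and not from the original article. The function names, markup and sample descriptions are constructed assumptions.

```javascript
// Added example: all names and sample data are constructed for illustration.

// The five characters that can change HTML parsing context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the developer-supplied description is concatenated as-is,
// so any markup stored in it is parsed by every visitor's browser.
function renderListingUnsafe(app) {
  return `<div class="description">${app.description}</div>`;
}

// Hardened pattern: the description is encoded at output time and stays text.
function renderListingSafe(app) {
  return `<div class="description">${escapeHtml(app.description)}</div>`;
}

// Defensive check: does the rendered page contain a script tag or an inline
// event-handler attribute?
function containsActiveMarkup(html) {
  return /<\s*script\b/i.test(html) || /<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed sample listings: one benign, two carrying inert active markup.
const SAMPLE_APPS = [
  { id: 'app-1', description: 'Notes & Tasks <beta>' },
  { id: 'app-2', description: '<script>/* constructed placeholder */</script>' },
  { id: 'app-3', description: '<img src="x" onerror="void 0">' },
];

// Report which listings would deliver active markup under each renderer.
function auditListings(apps) {
  const flagged = (render) =>
    apps.filter((a) => containsActiveMarkup(render(a))).map((a) => a.id);
  return { unsafeFlagged: flagged(renderListingUnsafe), safeFlagged: flagged(renderListingSafe) };
}

console.log(auditListings(SAMPLE_APPS));
```

Encoding at output time keeps the stored text intact while preventing it from being parsed as markup; a check like `containsActiveMarkup` is a regression test aid, not a substitute for encoding.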

The only condition for exploiting the hole was that the user had to be logged into the web store. The exploit was brought to Google's attention by Jon Oberheide, a security specialist for Android devices.

[via H-online]